
Comment Good! (Score 3, Interesting) 276

Don't provide any password to a border agent, or really anyone who doesn't need it.

My company is currently in the process of designing a special TPM style product that makes it very near impossible to enter a device without being the one intended for reception. While solutions like this do exist, ours is going to be fairly open, cheap and allow it to interface to almost any device for which someone can write a low level kernel based driver. With our device, it makes it impossible to access the contents of anything on the device under encryption due to how the data is stored and decrypted. Without access to the exact key which is paired to the device under encryption, you may as well wipe the device because except in exceptional cases, where multiple keys are warranted, there is no other way into the device under encryption.

I'm bringing this up for this exact kind of situation: while traveling you can keep your data fully encrypted, have one of our keys at home, with the data it encrypted being unavailable physically until you arrive home, and you could carry a second key which can decrypt any data marked for use between the two keys or just the data encrypted while traveling, with the only way to view the data being to be in possession of a key physically, think very small USB thumb drive.

If the border needs access, they can get access themselves. You're not stopping them by giving your phone, and you're not stopping them by refusing to give up a password or encryption key, you're simply protecting your right against possible self incrimination, and if the border patrol is actually qualified in the first place to do a job that would require decryption information on a phone, they should be able to do it regardless of what you put on it. I know that's a ridiculous statement, but it works. You shouldn't have to provide access to your personal data, to anyone. If anyone wants access, they can get access themselves without you.

I even once gave the border an entire database encrypted with our key solution, told them how it was encrypted and that the key for decryption was already sitting at an office in the US, so even if I wanted to get the data, I couldn't; they had no choice but to let me travel. You're not blocking anything by refusing to decrypt data or let them into the system. In our case, we're going to the Nth degree and making it a physical problem, where it doesn't matter if you know the password, because it's point to point tied down.

I support anyone who refuses to give up access; it's the right thing to do. The access isn't theirs, and if it is, they can enter it themselves.

Comment It really is very insecure (Score 1) 150

Currently I work for a startup and my job is to secure our web based product, which includes enforcing login authentication, encryption standards, database usage and more.

The method we used to employ was a tri-factor authentication system, password, TOTP and SMS / Email based tokenization, but we've officially taken the SMS authenticator away because, just as this post points out, you have to guarantee who has the phone and somehow confirm the phone which received the SMS is the phone which was meant to.

Think of this concept as having an IP Address: you can send a message to an IP and you have to assume that where it ends up is the right destination, because you have to assume the person saying they are is who was assigned that IP Address and not someone who basically stole it and is using it in an unauthorized fashion.

The better way to handle this kind of access security is to use AES_CCM based tokens that have TOTP built into them and force a login through use of a multi-hop path that gets created and is active only for X Minutes after the user tries to login with their password. How this works is that after you get the password, you generate a path descriptor which can talk with your Secure DNS. You encrypt this information with some form of AES (or any other standard). You put this information into a secured database system such as MongoDB with the FIPS compliance module active, and then send an email to person X with a link that activates the SDNS module, to read the string from the database, unencrypt it, develop a dynamic path to the end point and request the user's TOTP from something they have. Once the user is logged in, you scramble all this information, then securely wipe it from the program, memory and database and start all over.
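The comment above keeps TOTP as the second factor after dropping SMS. As an added example, not the poster's product or code, here is what the TOTP half of that looks like on the server side, using only Python's standard library: RFC 4226 HOTP, RFC 6238 TOTP on top of it, and a verifier that tolerates one 30-second step of clock skew while refusing to accept a time step it has already accepted (so a code sniffed from one login cannot be replayed within the window). The secret and timestamps in the usage section are the published RFC test vectors; the `TotpVerifier` class and its method names are my own naming, not a library API.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second periods since epoch."""
    return hotp(secret, int(for_time) // step, digits, algorithm)


class TotpVerifier:
    """Server-side check for a user's enrolled TOTP secret (hypothetical helper, not a library API).

    Accepts codes from `skew` steps either side of the current step to absorb clock drift,
    and never accepts a step at or below the highest step already used by this user, which
    blocks replay of a code that was observed in transit or on a shoulder-surfed screen.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1,
                 algorithm=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.algorithm = algorithm
        self._last_counter = -1                   # highest step accepted so far (persist per user)

    def verify(self, code: str, now: float = None) -> bool:
        if not (isinstance(code, str) and code.isdigit() and len(code) == self.digits):
            return False                          # malformed input never reaches the HMAC path
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self._last_counter:
                continue                          # replay guard: each step is usable once
            expected = hotp(self.secret, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Secret and times from the RFC 4226 / RFC 6238 test vectors (SHA-1, 8 digits for TOTP).
    secret = b"12345678901234567890"
    print(hotp(secret, 0), hotp(secret, 1))            # 755224 287082
    print(totp(secret, 59, digits=8))                  # 94287082
    v = TotpVerifier(secret, digits=8)
    print(v.verify("94287082", now=59))                # True  (first use)
    print(v.verify("94287082", now=59))                # False (replayed within the same step)
    print(v.verify("94287082", now=89))                # False (next step, old code still refused)
```

The `_last_counter` value has to be stored per user alongside the secret; if it lives only in process memory, a second server instance or a restart silently reopens the replay window. The skew of one step is a trade-off: it keeps users with a slightly wrong phone clock from failing, at the cost of a code being valid for up to 90 seconds instead of 30.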

Comment Education? (Score 1) 510

If creationism wants equal footing in schools it should be held to a few standards:

1) Needs to have testable, provable and repeatable experiments.
2) It needs to be defended from multiple sources, as in you can't use the bible to defend it.
3) It needs to be taught with no religious overtone.

Creationism is a view held by the uneducated and the demented. When your entire theory is "God did it", you've failed at all costs to provide anyone with a theory or even rational thought, and this is why it doesn't belong in schools.

Comment QC? (Score 3, Insightful) 211

It's almost as if you can hire people to test your software to make sure MAJOR problems like this don't sneak through. This is not an obscure memory leak which led to a date error causing a segfault; this is a MAJOR requirement being mis-implemented, which I'm sure is just as much on the requirements level as it is on the coding level.

Comment I wrote one (Score 1) 227

In college I found I was unable to keep a standard notebook because I never found myself opening it to actually write anything. I looked online for a solution but there was nothing that really fulfilled the logging need. I ended up writing one that was a multiple platform system, where every X amount of time, configurable in a web interface, a window written in C with GTK would open on the desktop or phone, requiring you to enter a message so it could log it back to the server. The system used multi stage encryption and had a web portal where you could view, but not edit, all the messages. It had user accounts and pretty much everything you'd need to keep a rocking lab book.

Comment Canada has the same issue (Score 1) 278

Standardized tests would work if anyone could standardize to a curriculum or qualification for a teacher. The problem is that you have teacher X with skills Y and teaching ability Z, going up against a teacher T with skills Y and teaching ability U. When the standardized test comes, it's really up to the student to see how well they've managed to absorb the information from the teacher and convert it to a style that will work for the test. The entire system is designed to fail and no one seems to care.

To make this work you'd have to hard line that a teacher must teach to a standard A, they must know material to a standard B and they must have skills C, D and E. Then you'd have to release a curriculum that was designed to hand hold the teacher to teach it as F and allow the students to absorb the information in form G. It will never work and no one can seem to understand this. It will never work as long as you can't enforce an absolute standard.
